Right now, a peculiar type of job interview is taking place that doesn’t require a resume. It entails breaking into a business’s website, identifying a vulnerability that no one saw, and writing about it in plain English. The payout could change someone’s life if the hole is severe enough.
This is the realm of white hat hackers, and it has subtly emerged as one of the tech industry’s more profitable sectors. Not as glamorous as an initial public offering (IPO). No press conference, no ticker symbol. A mid-level engineer would blink twice at the lengthy list of usernames on leaderboards, some of which are real and most of which are pseudonymous.
A portion of the story is revealed by the numbers. In 2020 alone, HackerOne, one of the biggest bug bounty platforms, paid out a record $40 million to hackers, with nine of them earning more than $1 million. After just two years of work, one Romanian hacker had amassed over $2 million. When Katie Paxton-Fear, a lecturer from Britain, found her first bug, she said she was “literally shaking,” not because of the money, though money was important, but rather because she had prevented a negative event from occurring.
Almost every discussion about this work is characterized by this tension between the excitement of the discovery and the gravity of the situation. It’s not credit card number theft, hoodies in dark basements, or hacking in the movie sense. It is more akin to a very particular type of locksmithing. Sometimes you are formally hired, and other times you are just asked to try to see if the locks are functional.
Scale and the location of the real money have recently changed. According to platform data from Immunefi, a bug bounty service that focuses on cryptocurrency and decentralized finance, salaries in traditional corporate cybersecurity typically plateau between $150,000 and $300,000. Vulnerabilities in DeFi protocols are being completely exploited by white hat hunters. Thirty of Immunefi’s researchers have become millionaires as a result of its facilitation of over $120 million in payouts. The hacker who discovered a fatal flaw in Wormhole’s crosschain bridge—a flaw that could have wiped out billions if first exploited by someone with worse intentions—was awarded the largest single payout ever, $10 million.
Sitting with that contrast for a moment is worthwhile. Regardless of skill, a salaried security analyst is compensated for their time. A bug bounty hunter is compensated for the results, for the one defect that counts out of a thousand that don’t. It appears to be completely discouraging people from traditional employment because it rewards a certain type of obsessive talent. American hacker Sam Curry, who began this work as a teenager in Nebraska, once reported earning about $100,000 in a year, but cautioned that the following year could easily earn only $60,000. In this world, there is no salary floor. Additionally, it appears that there is no true ceiling.

Businesses have adopted this arrangement more quickly than you might anticipate. Since making its bounty program public, Epic Games has paid out more than $3 million to hackers, and researchers have identified more than 1,200 legitimate problems. Similar initiatives are currently in place at Starbucks, Uber, Yahoo, Slack, and even the US Department of Defense.
Ray Zeisz, who works at the Friday Institute at NC State, recalls a time when this concept seemed impractical. “Some in the industry thought, ‘Oh my God, you’re crazy.'” He remarked, “You’re writing checks to the bad guys.” This skepticism has largely subsided in favor of a practical calculation: hiring outside researchers is frequently more efficient and less expensive than growing an internal security team.
Bounty programs are not universally regarded as the solution. Some researchers, such as Victor Gevers in the Netherlands, claim the programs can be too limited, limiting where hackers can search, and they will not accept any bounty money. It’s a valid point, but it’s obscured by stories about payouts worth millions of dollars. Only what it is scoped to find is found by a bounty program.
However, it appears difficult to dispute the trajectory. The incentive to identify vulnerabilities before criminals do keeps growing, as does the cost of doing so effectively, as more businesses shift their operations online and crypto protocols secure hundreds of billions of dollars in value. It’s really unclear if this turns into a stable career path or remains a high-variance gold rush. However, for the time being, those who are discovering the bugs are doing better than nearly everyone anticipated.
